IPv4 and IPv6 Support - Cisco ASA Series CLI Configuration Manual

Software version 9.0 for the services module

Licensing Requirements for Cisco Cloud Web Security
directly from the originally requested web server without contacting the proxy server. When it receives
the response from the web server, it sends the data to the client. This process is called "whitelisting"
traffic.
Although you can achieve the same results of exempting traffic based on user or group when you
configure the class of traffic using ACLs to send to Cloud Web Security, you might find it more
straightforward to use a whitelist instead. Note that the whitelist feature is only based on user and group,
not on IP address.

IPv4 and IPv6 Support

Cloud Web Security currently supports only IPv4 addresses. If you use IPv6 internally, NAT64 must be
performed for any IPv6 flows that need to be sent to Cloud Web Security.
The following table shows the class map traffic that is supported by Cloud Web Security redirection:

| Class Map Traffic | Cloud Web Security Inspection |
|---|---|
| From IPv4 to IPv4 | Supported |
| From IPv6 to IPv4 (using NAT64) | Supported |
| From IPv4 to IPv6 | Not Supported |
| From IPv6 to IPv6 | Not Supported |

Failover from Primary to Backup Proxy Server

When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web
Security proxy server and backup proxy server.
If any client is unable to reach the primary server, then the ASA starts polling the tower to determine
availability. (If there is no client activity, the ASA polls every 15 minutes.) If the proxy server is
unavailable after a configured number of retries (the default is 5; this setting is configurable), the server
is declared unreachable, and the backup proxy server becomes active.
If a client or the ASA can reach the server at least twice consecutively before the retry count is reached,
the polling stops and the tower is determined to be reachable.
After a failover to the backup server, the ASA continues to poll the primary server. If the primary server
becomes reachable, then the ASA returns to using the primary server.
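
The failover rules above can be modelled as a small state machine and replayed over constructed traces. This is an added example, not Cisco's implementation or code from the guide; `TowerMonitor`, `observe` and `replay` are hypothetical names. It assumes that the failure which starts polling is not counted as a retry, that any failure resets the success streak, and that fail-back uses the same two-consecutive-successes rule.

```python
from dataclasses import dataclass

REACHABLE_AFTER = 2  # consecutive successes needed, per the text above


@dataclass
class TowerMonitor:
    retry_count: int = 5      # default stated in the guide
    active: str = "primary"
    polling: bool = False
    failures: int = 0         # failed attempts since polling began
    ok_streak: int = 0        # consecutive successful attempts

    def observe(self, primary_ok: bool) -> str:
        """Record one client or poll attempt to the primary; return the active server."""
        if not self.polling:
            # A failed client attempt starts polling. Assumption: this
            # triggering failure is not itself counted as a retry.
            if not primary_ok:
                self.polling, self.failures, self.ok_streak = True, 0, 0
            return self.active
        if primary_ok:
            self.ok_streak += 1
            if self.ok_streak >= REACHABLE_AFTER:
                # Primary judged reachable: stop polling and use it (fail back).
                self.polling, self.active = False, "primary"
        else:
            self.ok_streak = 0  # assumption: any failure breaks the streak
            if self.active == "primary":
                self.failures += 1
                if self.failures >= self.retry_count:
                    self.active = "backup"  # polling of the primary continues
        return self.active


def replay(outcomes, retry_count=5):
    """Return the active server after each attempt in a constructed trace."""
    monitor = TowerMonitor(retry_count=retry_count)
    return [monitor.observe(ok) for ok in outcomes]


# Constructed traces (True = primary answered, False = it did not).
OUTAGE = [False] * 6                              # trigger + 5 failed retries
FLAPPING = [False, False, True, False, True, True]
LONE_SUCCESS = [False] * 5 + [True, False]        # one success does not clear failures
FAILBACK = OUTAGE + [True, False, True, True]

if __name__ == "__main__":
    for name in ("OUTAGE", "FLAPPING", "LONE_SUCCESS", "FAILBACK"):
        print(name, replay(globals()[name]))
```

Under these assumptions an isolated successful poll does not prevent failover, which is worth keeping in mind when choosing a retry count for a link that flaps.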

Licensing Requirements for Cisco Cloud Web Security

| Model | License Requirement |
|---|---|
| All models | Strong Encryption (3DES/AES) License to encrypt traffic between the ASA and the Cloud Web Security server. |

On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify
the number of users that the ASA handles. Then log in to ScanCenter, and generate your authentication
keys.

Cisco ASA Series CLI Configuration Guide, Chapter 1: Configuring the ASA for Cisco Cloud Web Security
